by supertrope 255 days ago
IPSec originally ran on raw IP. These days it has to be tunneled in UDP due to TCP or UDP only ossification.

PMTUD breaks when ICMP is blocked.

The same argument can be made that everything but HTTP being blocked is not a problem because everything can be transported on top of HTTP.

2 comments

It's not nice that pmtud breaks when ICMP isn't available, but sensible probing can do pretty well. Of course, barely anybody probes and they may not be sensible if they do.

Imagine at the beginning of a connection, sending a burst of packets, you could send (ignoring tcp timestamps because it makes the math hard, PAWS is a waste of bytes for most flows, and etc) [0,1460); [1400, 2800), ...

If you get an ack of the first packet, great. If not, you resend it as a 1400 byte payload and probe again in a future burst. Maybe even preemptively resend the first packet as a 1400 byte segment after a short delay. Anyway, have enough failed large packets and probe smaller. Probe bigger again every so often if the connection stays open for a meaningful amount of time.
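The probing scheme sketched in this comment, as an added simulation that is not code from the thread: a path that silently drops oversize segments (no ICMP ever comes back) and a sender that retransmits lost data at a fallback size, steps down after repeated losses, and periodically probes upward. The size constants, step, thresholds and round count are all assumptions.

```python
"""Blind (ICMP-free) PMTU probing against a black-hole path.
Constructed example; every constant here is an assumption."""


class BlackHolePath:
    """A path with an MTU the sender cannot see; anything larger is dropped
    silently, so no ICMP 'fragmentation needed' message is ever delivered."""

    def __init__(self, mtu):
        self.mtu = mtu

    def deliver(self, size):
        return size <= self.mtu   # True means the receiver will ACK it


def probe_pmtu(path, start=1460, fallback=1400, floor=576, step=60,
               max_fail=3, rounds=30, probe_up_every=10):
    """Return (segment size the sender settles on, segments lost).

    Each round the sender tries `candidate` bytes. A lost probe is
    retransmitted at `fallback` so the flow keeps moving; after `max_fail`
    consecutive losses the sender probes `step` smaller, and every
    `probe_up_every` rounds it tries one `step` above the known-good size.
    Resolution is limited to `step`, so the result can sit below the true MTU.
    """
    good = floor          # largest size known to work (floor assumed safe)
    candidate = start
    failures = 0
    lost = 0
    for r in range(1, rounds + 1):
        if path.deliver(candidate):
            good = max(good, candidate)
            failures = 0
            # probe bigger every so often, otherwise stay at the known-good size
            candidate = good + step if r % probe_up_every == 0 else good
            continue
        lost += 1
        failures += 1
        # resend the data at the fallback size; if even that is black-holed
        # (nested tunnels, say) use the floor for all further resends
        if not path.deliver(fallback):
            lost += 1
            fallback = floor
        if failures >= max_fail:
            candidate = max(floor, candidate - step)
            failures = 0
    return good, lost
```

Each upward probe costs `max_fail` lost segments on a path that cannot grow, which is the price of never getting an ICMP hint.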

The same argument is made about HTTP. But at least in the HTTP case, you can point to protocol behavior the middle-layer protocol is enforcing on you. You can't do that with UDP; UDP is just IP, with some ports, and a checksum.